Password reset system in PHP

One very important feature of any good membership website is a password reset system, because some users are bound to forget their password. In this tutorial I outline the steps involved in recovering a user's password, and we implement such a system using PHP and a MySQL database.

The whole process of implementing such a system can be broken down into 3 main steps. To ease the explanation, let's analyze these steps in terms of the forms that we will present for the user to fill in:

Login Form: This form takes a user's username and password combination and logs them in if they are registered on the system. On this form we provide a "Forgot your password?" link in case the user has forgotten their password and needs to reset it.

Email Form: If the user has forgotten their password, they can click on the "Forgot your password?" link on the login page to reset it. Clicking on this link will take them to another page that prompts them to enter their email address. When the email address they provide is not in our users table in the database, we will display an error message which says "No such user exists on our system". If on the other hand the user exists, we will generate a unique token (a unique random string) and store this token together with that email address in the password_resets table in the database. Then we will send them an email that has that token in a link. When they click on the link in the email we sent them, they will be sent back to our website, to a page that presents them with another form.

New password Form: Once the user is back on our website, we will grab the token that comes from the link and store it in a session variable. Then we will present them with a form that asks them to enter a new password for their account on our website. When the new password is submitted, we will query the password_resets table for the record that has the token that just came from the link in the mail. If the token is found in the password_resets table, then we are confident that the user is who they claim to be and that they clicked on the link in their mail. At this point we grab the user's email address from the password_resets table (remember we saved the token alongside their email address) and use that email address to fetch the user from the users table and update their password.
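The token lifecycle behind steps two and three, as an added example that is not the tutorial's code. It assumes PDO with an in-memory SQLite database so that it runs stand-alone (swap the DSN and the id column type for MySQL), and the column names created in connect() are chosen here for illustration, not taken from the tutorial. It goes a little beyond the text: only a hash of the token is stored, and each token has an expiry and is deleted on first use, so a copied database row or a replayed link is not enough to reset a password.

```php
<?php
declare(strict_types=1);
// Added example, not the tutorial's code. Assumptions: PDO, an in-memory SQLite
// database for a stand-alone run (swap the DSN and the id column type for MySQL),
// and the illustrative columns created in connect().

const TOKEN_TTL_SECONDS = 3600; // a reset link is valid for one hour

function connect(): PDO
{
    // For MySQL: new PDO('mysql:host=localhost;dbname=password_recovery', $user, $pass)
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,            -- INT AUTO_INCREMENT PRIMARY KEY on MySQL
        email TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE password_resets (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL,
        token_hash TEXT NOT NULL UNIQUE,   -- SHA-256 of the token, never the token itself
        expires_at INTEGER NOT NULL)');    -- Unix timestamp after which the link is dead
    return $pdo;
}

// Step 2 (email form): mint a token for a registered address. Returns the raw
// token for the mailed link, or null when the address is unknown.
function createResetToken(PDO $pdo, string $email): ?string
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    if ($stmt->fetchColumn() === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32));     // 256 bits from the CSPRNG, not uniqid() or rand()
    // One outstanding token per address: a new request invalidates the old link.
    $pdo->prepare('DELETE FROM password_resets WHERE email = ?')->execute([$email]);
    $pdo->prepare('INSERT INTO password_resets (email, token_hash, expires_at) VALUES (?, ?, ?)')
        ->execute([$email, hash('sha256', $token), time() + TOKEN_TTL_SECONDS]);
    return $token;
}

// Step 3 (new password form): redeem the token. Returns true when the password
// was changed; the token row is deleted whether or not it was still valid.
function consumeResetToken(PDO $pdo, string $token, string $newPassword): bool
{
    $tokenHash = hash('sha256', $token);
    $stmt = $pdo->prepare('SELECT email, expires_at FROM password_resets WHERE token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown or already used token
    }
    $pdo->prepare('DELETE FROM password_resets WHERE token_hash = ?')->execute([$tokenHash]);
    if ((int) $row['expires_at'] < time()) {
        return false;                       // expired; the row is gone so it cannot be retried
    }
    $pdo->prepare('UPDATE users SET password = ? WHERE email = ?')
        ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['email']]);
    return true;
}

// Constructed demo data, not from the tutorial.
$pdo = connect();
$pdo->prepare('INSERT INTO users (email, password) VALUES (?, ?)')
    ->execute(['alice@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);

var_dump(createResetToken($pdo, 'nobody@example.com'));   // an address that is not registered
$token = createResetToken($pdo, 'alice@example.com');
echo "Link to mail: https://example.com/new_pass.php?token=$token\n";
var_dump(consumeResetToken($pdo, 'not-the-token', 'x'));  // a token that was never issued
var_dump(consumeResetToken($pdo, $token, 'new-secret'));  // the mailed token
var_dump(consumeResetToken($pdo, $token, 'again'));       // the same token a second time
```

consumeResetToken() takes the token from wherever the new-password form kept it (the tutorial puts it in a session variable once the link is clicked). Whether to tell the visitor that an address is unknown, as the tutorial's "No such user exists" message does, is a design choice: showing the same confirmation either way avoids revealing which addresses are registered.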

Hope that's clear enough. If not then just stick around and it will become clearer as we implement.

Implementation

Create a database called password_recovery and in that database, create two tables namely users and password_resets with the following fields:

Note: This application requires that the user already be registered on the system. We won't be covering user registration in this tutorial because it has already been covered on this site. You can follow that tutorial first (I recommend you do) or not, but keep in mind that we need to have a user in our users table in the database before we can proceed to reset their password. So one way or the other, add a user to your MySQL database. You may use a tool like phpMyAdmin; make sure you hash the password using md5().

Now create a project folder called password-recovery and make sure this folder is in your server directory (htdocs folder or www folder). In that folder, create three files namely: login.php, enter_email.php, new_pass.php:

Each of these three files represents one of the three steps we outlined earlier. Open each of them and paste the following code into them:

In each of these files, you can see that we are including three files which we haven't yet created, namely app_logic.php, messages.php and main.css. The first handles all the logic of our application, such as querying the database and sending email to the user; the second displays feedback messages to the user, such as when they enter a wrong email address; the third is the styling of the application.

Create these files in the password-recovery folder. In the main.css file, add this styling code:

Here you see three blocks of if statements. These handle three actions, namely user login, receiving the reset email address, and receiving the new password. In the second block, after receiving the user's email address, the user is redirected to a pending.php page. This page simply displays a message telling the user that an email has been sent to their address which they can use to reset their password.
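The first of those three blocks is the login check, and the note above has the stored passwords hashed with md5(). As an added example that is not the tutorial's code, here is a login check that still verifies those legacy md5() hashes, so existing users can sign in, but replaces each one with a password_hash() value on the first successful login. The shape of the user row (email and password keys) and the $persist callback that writes the new hash back are assumptions made so the script runs without a database; in app_logic.php the callback would be an UPDATE on the users table.

```php
<?php
declare(strict_types=1);
// Added example, not the tutorial's code. The tutorial stores md5() hashes; this
// login check accepts those but upgrades each to password_hash() on first use.
// Assumptions: a user row with `email` and `password` keys, and a $persist
// callback that writes the new hash back (here an array stands in for MySQL).

// An unsalted hex MD5 digest is exactly 32 hex characters; password_hash()
// output starts with "$2y$" or "$argon2..." and never matches this pattern.
function isLegacyMd5(string $hash): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $hash) === 1;
}

// Verify $submitted against $stored. Returns null on failure; on success returns
// the hash to keep in the database: unchanged if it is already current,
// otherwise a fresh password_hash() value.
function verifyAndUpgrade(string $submitted, string $stored): ?string
{
    if (isLegacyMd5($stored)) {
        // Constant-time comparison against the legacy digest.
        if (!hash_equals(strtolower($stored), md5($submitted))) {
            return null;
        }
        return password_hash($submitted, PASSWORD_DEFAULT);   // upgrade the record
    }
    if (!password_verify($submitted, $stored)) {
        return null;
    }
    // Rehash when PHP's default algorithm or cost has moved on since it was stored.
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($submitted, PASSWORD_DEFAULT)
        : $stored;
}

// The login branch: returns true when the user may be logged in.
function login(array $user, string $submitted, callable $persist): bool
{
    $hash = verifyAndUpgrade($submitted, $user['password']);
    if ($hash === null) {
        return false;
    }
    if ($hash !== $user['password']) {
        $persist($user['email'], $hash);                       // store the upgraded hash
    }
    return true;
}

// Constructed demo: one legacy row and one row that is already current.
$users = [
    'legacy@example.com' => ['email' => 'legacy@example.com', 'password' => md5('hunter2')],
    'modern@example.com' => ['email' => 'modern@example.com', 'password' => password_hash('correct horse', PASSWORD_DEFAULT)],
];
$persist = function (string $email, string $hash) use (&$users): void {
    $users[$email]['password'] = $hash;    // stands in for: UPDATE users SET password = ? WHERE email = ?
};

var_dump(login($users['legacy@example.com'], 'wrong', $persist));    // wrong password for the legacy row
var_dump(login($users['legacy@example.com'], 'hunter2', $persist));  // correct password; row gets upgraded
var_dump(isLegacyMd5($users['legacy@example.com']['password']));     // is the md5 digest gone?
var_dump(login($users['legacy@example.com'], 'hunter2', $persist));  // same password, now via password_verify()
var_dump(login($users['modern@example.com'], 'correct horse', $persist));
```

On a successful login in the real branch, call session_regenerate_id(true) before writing the user into $_SESSION, so a session id that was handed out before authentication is not kept afterwards.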

Create pending.php in the root folder of our project and add this code inside it:

Conclusion

Thank you for following this tutorial to the end. I hope the explanation was clear enough and you learned something that can be of help to you in your web development. If you have any issues or concerns, don't forget to drop them in the comments below and I'll get back to you.